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Abstract 

The  rise  in  terrorism,  corporate  espionage,  cyber  attacks,  and  federal  fiscal 
constraints  play  an  important  role  in  the  federal  construction  process.  The  risks 
associated  with  these  occurrences  are  studied  to  aid  in  the  risk  management  of  the 
military  construction  process.  This  paper  presents  the  status  of  research  into  these  areas 
to  identify  how  methods,  policies,  applications,  and  information  obtained  from  case 
studies  can  be  used  by  stakeholders  to  manage  risk  in  the  United  States  Air  Force 
construction  process. 

The  author  reviewed  research  on  risk  associated  with  four  essential  components 
of  the  military  construction  process  -  Critical  Infrastructure,  Information  Technology, 
Contracts,  and  Cost  in  the  construction  and  related  industry.  This  study  focused  on  the 
methodology,  management  policy,  areas  of  application,  and  case  studies  research  of  the 
construction  and  related  industry. 

Keywords:  Risk  Assessment,  Risk  Analysis,  Risk  Management,  Construction,  Critical 
Infrastructure,  Information  Technology,  Contract,  Cost,  Threat,  Vulnerability, 
Consequence 
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RISKS  ASSOCIATED  WITH  FEDERAL  CONSTRUCTION  PROJECTS 


I.  Introduction 


Background 

Risk. 

Risk  is  an  inherent  aspect  of  any  operation  and  it  must  be  considered  during  the 
planning  and  execution  of  military  construction  (MILCON).  Roper  (2008)  defines  risk  as 
"the  potential  for  damage  or  loss  of  an  asset."  It  is  a  function  of  threat,  vulnerability,  and 
consequence  (Volpe  Center,  2003).  In  order  to  identify  risk,  a  risk  analysis  is  perfonned 
to  evaluate  combinations  of  threats  and  vulnerabilities  to  determine  the  probability  for 
loss  consequences.  Risk  management  is  the  process  of  using  the  information  from  a  risk 
analysis  to  make  decisions  on  addressing  risks.  The  primary  method  to  manage  risk  is  to 
implement  mitigation  measures  to  reduce  the  probability  of  the  risk  occurring  or  to  accept 
the  consequences  of  the  risk  occurring.  The  concept  of  risk  is  based  on  a  subjective  scale 
and  is  rated  terms  of  relative  risk  where  the  probability  of  risk  occurring  varies  according 
to  changes  in  the  risk  components. 

In  construction,  risk  and  its  components  affect  key  aspects  of  the  construction 
process — Critical  Infrastructure  (Cl),  Information  Technology  (IT),  Contracts,  and  Cost. 
These  components  are  interrelated  and  combine  to  form  the  overall  construction  process. 
However,  individually  they  are  subjected  to  specific  risks. 

Critical  Infrastructure. 


Cl  refers  to  the  wide  array  of  physical  assets,  such  as  facilities,  electric  power 
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systems,  telecommunications,  utilities,  logistics  networks,  and  any  other  systems  or  sub¬ 
systems  that  is  essential  for  an  organization  to  function  (Gorman  et  al.,  2003.) 

Information  Technology. 

The  definition  of  IT  in  this  study  refers  to  the  hardware,  software,  networks, 
computer  systems,  and  supporting  facilities  that  is  used  to  gather,  process,  store,  and 
distribution  information.  Although  there  are  specific  software  and  processes  for  IT  in 
construction,  IT-related  risks  are  similar  in  other  industries. 

Contracts. 

Contracts  are  legal  agreements  between  parties  in  which  a  promise  is  made  for  the 
performance  of  an  obligation,  which  is  legally  recognized  (Ansley  et  al.,  2009).  For 
United  States  Air  Force  (USAF)  MILCON,  it  is  the  agreement  between  an  Architecture, 
Engineering,  and  Construction  (AEC)  firm  and  the  contracting  agent  for  the  USAF.  In 
this  study,  the  United  States  Army  Corps  of  Engineers  (USACE)  performs  the  contracting 
and  project  management  function  for  the  USAF. 

Cost. 

The  cost  of  a  project  plays  a  crucial  role  in  federal  construction  since  there  are 
specific  rules  for  commitment  and  obligation  of  federal  funds.  This  research  involves 
MILCON  projects,  which  are  capital  improvement  projects  that  cost  $750,000  or  more 
(AFI  32-1022)  and  must  be  approved  by  United  States  Congress. 

Research  Questions 

This  thesis  will  investigate  the  risks  associated  with  federal  construction.  The 
construction  industry  is  very  diverse  with  many  types  of  risks.  The  details  of  some  of 
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these  risks  are  not  known  and  this  research  intends  to  detennine  these  details  by  seeking 
answers  to  the  following  questions: 

1 .  What  are  the  risk  associated  with  the  integration  of  Cl,  IT,  contracts,  and  cost 
in  construction  project? 

2.  What  are  the  factors  that  cause  risk  in  these  areas? 

3.  How  can  these  factors  be  identified? 

4.  Can  the  risk  in  these  areas  be  mitigated? 

5.  What  is  the  cost  to  mitigate  the  risk? 

6.  What  is  the  cost  of  not  mitigating  the  risk? 

Scope 

This  research  will  study  the  risks  in  federal  construction  by  focusing  on  the  USAF 
MILCON  process.  The  research  will  concentrate  on  the  design-build  method  of  project 
delivery  where  all  projects  are  designated  MILCON  and  where  the  USAGE  perform 
contracting  and  project  managing  function  for  the  USAF.  A  significant  portion  of  this 
research  will  study  the  specific  risks  involved  in  the  implementation  of  a  new  design 
process  in  the  USAF.  Since  constructing  techniques  and  processes  are  similar  to  non- 
federal  construction,  the  research  will  also  investigate  non-federal  construction. 

Approach 

The  research  for  this  thesis  was  completed  in  two  major  phases.  The  first  phase 
involved  an  extensive  literature  review  and  the  second  phase  involved  a  risk  analysis  of 
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the  implementation  of  a  new  design  process  in  the  USAF.  The  risk  analysis  was  done 
using  knowledge  gained  from  the  literature  review. 

The  literature  review  was  done  by  separating  the  four  major  components  of  the 
MILCON  process— Cl,  IT,  Contract,  and  Cost,  and  determining  the  status  of  research  of 
risk  in  these  areas.  All  studies  were  sorted  into  methodologies,  management  policies, 
areas  of  application,  and  case  studies.  The  risk  analysis  studied  the  risk  associated  with 
the  implementation  of  Building  Information  Modeling  (BIM).  BIM  is  a  design  process 
that  is  being  implemented  by  federal  agencies  including  the  USAF. 

Preview 

This  thesis  follows  the  scholarly  article  fonnat.  The  chapters  contain  articles  and 
details  on  how  the  articles  were  developed.  Chapter  I  provides  an  overview  of  risk  and 
its  components  along  with  details  on  the  research  structure.  Chapter  II  is  an  extensive 
literature  review  of  risk  research  involving  construction.  Chapter  III  is  a  research  paper 
of  a  risk  analysis  of  the  implementation  of  BIM  in  the  USAF.  Chapter  IV  provides  a 
summary  of  the  research,  the  status  of  the  research  questions,  and  areas  that  would 
benefit  from  further  research. 
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II.  Literature  Review  of  Risk  in  Construction 


Critical  Infrastructure 

Critical  Infrastructure  (Cl)  covers  a  wide  range  of  entities  and  includes  facilities, 
networks,  utilities,  logistics  systems,  cyber  systems,  communication  processes,  and 
geographical  nodes  (Gorman  et  al.,  2003).  This  research  focuses  on  Cl  as  it  relates  to 
construction,  repair,  or  maintenance  that  occurs  on  federal  installations  and  work  done  on 
behalf  of  the  United  States  Government  by  the  Architecture,  Engineering,  and 
Construction  (AEC)  Industry.  Since  the  AEC  performs  the  work  in  large  nonfederal  Cl 
projects,  research  on  the  AEC  operations  is  also  reviewed.  A  summary  table  is  presented 
at  the  end  of  each  section. 

Methodology. 

The  majority  of  research  of  risk  in  Cl  involved  the  methods,  tools,  frameworks, 
and  models  used  to  study  risk  assessment  and  risk  management.  Busuttil  and  Warren 
(2003)  presented  the  fourth  generation  step-wise  security  risk  analysis  methodology  for 
application  in  Critical  Information  Infrastructure  Protection  (CUP).  The  methodology 
demonstrated  effectiveness  in  mid-level  applications  and  the  authors  suggests  that  it  will 
be  more  effective  in  high-level  infrastructure.  Sholander  et  al.  (2006)  and  Ball  et  al. 
(2005)  presented  models  for  risk  assessment  based  on  the  treatment  of  a  Cl  as  a  system. 
Sholander  et  al.  (2006)  developed  a  risk  assessment  model  to  analyze  integrated  CIs  that 
contained  physical  and  cyber  elements.  The  study  found  that  risk  analysis  requires 
integration  of  consequence  and  vulnerability  estimates  to  detennine  the  potential  Cl 
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impact.  Ball  et  al.  (2005)  conducted  an  integrated  review  of  approaches  to  modeling, 
simulation,  and  analysis  of  Critical  Infrastructure  Systems  (CIS)  as  employed  by  the 
Institute  for  Complex  Additive  System  Analysis  (ICASA).  The  review  help  produced  a 
process  for  CIS  application  of  control  tools  to  detennine  vulnerability  based  on  the 
relationship  among  inputs,  parameters,  states,  and  outputs. 

Ulieru  and  Worthington  (2006)  developed  an  Adaptive  Risk  Management  System 
(ARMS)  model  based  on  a  holonic  structure  to  identify,  prevent,  and  response  to  threat  to 
CIs.  The  authors  stated  that  the  model  had  the  capability  to  learn,  respond,  and  adapt  to 
new  threats. 

Bagheri  et  al.  (2007)  used  the  Agent-based  Interdependency  Modeling  and 
Simulation  (AIMS)  simulation  architecture  to  study  interdependencies  among  CIs.  The 
authors  claimed  that  the  study  provided  a  better  understanding  of  Cl  behavior  by 
analyzing  the  services  provided  by  the  Cl  and  their  sub-systems. 

Several  other  methods  were  developed  to  investigate  specific  aspects  of  risk  in  CI. 
Bagheri  and  Ghorbani  (2007)  studied  the  adaptive  socio-technical  systems  of  CIs  using 
the  Astrolabe  Methodology  which  focused  on  deviation  of  a  system  from  its  original 
goals.  The  study  allowed  risks  to  be  properly  classified  so  analysts  can  make  appropriate 
mitigation  strategies. 

Crowther  (2008)  and  Setola  et  al.  (2009)  used  Input-Output  Inoperability  Model 
(IIM)  to  study  CI  risk.  Setola  et  al.  (2009)  used  this  model  to  assess  dependencies  and 
interdependencies  of  CIs.  The  model  was  effectiveness  was  demonstrated  in  a  case  study 
of  Italian  CI  sectors.  Crowther  (2008)  used  the  decomposition  of  the  IIM  to  investigate 
decentralized  risk  management  for  strategic  preparedness.  The  study  provided  insights 
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into  the  decentralized  risk  management  process  in  the  context  of  preparedness  costs  and 
economic  resilience. 

Guikema  (2008)  studied  risk  analysis  of  Cl  caused  by  natural  disaster  using 
statistical  learning  theory  by  making  use  of  large  datasets  from  complex  CL  The  study 
concluded  that  statistical  learning  theory  methods  can  be  used  for  real-time  monitoring  of 
infrastructure  systems  to  detect  abnormal  behavior. 

Vugrin  et  al.  (2010)  used  optimal  recovery  sequencing  to  assess  Cl  resilience. 

The  researchers  formulated  a  bi-level  optimization  problem  for  infrastructure  network 
problem  to  identify  recovery  nodes  and  sequences.  The  application  was  tested  on  a 
national  railroad  model  and  a  supply  chain  for  Anny  munitions  production. 
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Table  1  Summary  of  research  on  Methods  in  Cl  Risks 


Author  (Year) 

Research  Method 

Synopsis 

Busuttil  and 
Warren  (2003) 

Step-wise  security  risk 
analysis 

Demonstrated  effectiveness  in  mid-level 

Cl  applications 

Ball  et  al. 

(2005) 

Cl  studied  as  a  system 

Detennine  vulnerability  based  on  input, 
parameters,  states,  and  outputs 

Uilieru  and 
Worthington 
(2006) 

Adaptive  Risk 
Management  System 

Authors  stated  that  the  model  had  the 
capability  to  learn,  respond,  and  adapt  to 
new  threats 

Sholander  et 
al.  (2006) 

Cl  studied  as  a  system 

Integration  of  consequence  and 
vulnerability  can  determine  Cl  impact 
estimate 

Bagheri  et  al. 
(2007) 

Agent-based 

Interdependency 

Modeling  and  Simulation 

Provided  a  better  understanding  of  Cl 
behavior 

Bagheri  and 

Ghorbani 

(2007) 

Astrolabe  Methodology 

Allowed  for  risks  to  be  properly  classified 
so  analysts  can  make  appropriate 
mitigation  strategies 

Crowther 

(2008) 

Input-Output 

Inoperability  Model 

Provided  insights  into  decentralized  risk 
management  based  on  preparedness  costs 
and  economic  resilience 

Guikema 

(2008) 

Statistical  learning  theory 

Developed  real-time  monitoring  of 
infrastructure  systems  to  detect  abnormal 
behavior 

Setola  et  al. 
(2009) 

Input-Output 

Inoperability  Model 

Demonstrated  dependencies  and 
interdependencies  of  CIs 

Vugrin  et  al. 
(2010) 

Optimal  recovery 
sequencing 

Identify  recovery  nodes  and  sequences 

Management  Policy. 

Management  policy  is  a  critical  factor  in  risk  management  and  several  studies 
presented  various  aspects  of  management  and  how  decisions  affect  risk  in  CL  Several 
government  research  studies  (Wimbish  and  Sterling,  2003;  Moteff,  2005;  and 
D’Agostino,  2008)  outlined  risk  analysis  and  management  of  the  national  critical 
infrastructure.  Wimbish  and  Sterling  (2003)  outlined  the  function  of  the  National 
Infrastructure  Simulation  and  Analysis  Center  (NISAC).  The  NISAC  educates  strategic 
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leaders  on  the  national  infrastructure  and  how  it  is  affected  by  government  policies  and 
action.  Moteff  (2005)  studied  how  risk  management  and  Critical  Information  Protection 
(CIP)  functions  under  the  Homeland  Security  Act  of  2002.  D’Agostino  (2008)  presented 
findings  to  the  Government  Accountability  Office  that  Department  of  Defense  risk 
analysis  had  omitted  several  high  sensitive  assets  related  to  CL 

Other  researchers  studied  types  of  management;  Le  Grand  et  al.  (2004)  and 
Caldeira  et  al.  (2010)  studied  the  interdependencies  of  large  CIs  and  how  policy-based 
management  is  used  in  vulnerability  assessment  and  CIP.  Le  Grand  et  al.  (2004)  study 
formulated  security  policies  that  can  be  implemented  under  the  policy-based  management 
in  CIs.  Caldeira  et  al.  (2010)  focused  on  the  quality  of  infonnation  exchange  between 
interconnected  CIs. 


Table  2  Summary  of  research  on  Management  Policies  in  Cl  Risks 


Author  (Year) 

Management  Policy 

Synopsis 

Wimbish  and 
Sterling  (2003) 

The  function  of  the 
National  Infrastructure 
Simulation  and  Analysis 
Center 

Educates  strategic  leaders  on  the  national 
infrastructure 

Le  Grand  et  al. 
(2004) 

Policy-based 

management 

Fonnulated  security  policies 

Moteff  (2005) 

CRS  Report  to  Congress 

Assessing,  Integrating,  and  Managing 
Threats,  Vulnerabilities,  and 

Consequences 

D’Agostino 

(2008) 

GOA:  Defense  Critical 
Infrastructure 

Department  of  Defense  risk  analysis  had 
omitted  several  high  sensitive  assets 
related  to  Cl  had  the  capability  to  learn, 
respond,  and  adapt  to  new  threats 

Caldeira  et  al. 
(2010) 

Policy-based 

management 

Policies  can  enhance  risk  indicators 
accuracy 
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Areas  of  Application. 

The  overwhelming  amount  of  research  in  the  areas  of  application  of  risk  involved 
dependencies  and  interdependencies  among  CIs.  Researchers  conducted  studies  on  the 
various  aspects  of  interdependencies  with  the  focus  being  on  the  effect  of  impact  of  one 
Cl  on  other  interconnected  CIs. 

Conrad  et  al.  (2006)  developed  a  model  to  quantify  the  interdependencies  of  CIs 
for  evaluation  of  vulnerability  compensation  plans.  The  study  involved  assignment  of 
estimates  to  sub-system  component  of  infrastructure  and  applied  an  aggregate  scale  to  the 
Cl  using  system  dynamics.  The  authors  concluded  that  telecommunication  has 
significant  impact  across  all  affected  CIs. 

Daidone  et  al.  (2008)  investigated  redundant  architecture  for  Critical  Infonnation 
Protection  (CIP).  The  study  investigated  information  flow  among  infrastructure  sub¬ 
systems  to  determine  specific  dependencies  and  availabilities.  The  author  concluded  that 
the  parameters  chosen  for  the  detection  of  impacts  were  crucial  in  determining  the 
dependability  and  availability  of  the  Cl  system. 

A  study  of  Cl  survival  from  natural  disaster  was  done  by  Mao  (2009).  The  study 
investigated  the  factors  that  reduce  vulnerability  in  interdependency.  Interdependency 
and  control  strategy,  identification  of  cascading  pathways,  and  design  models  to  simulate 
disaster  were  factors  that  can  develop  strategies  for  emergencies. 

Interdependency  was  also  studied  by  Becker  et  al.  (2010).  The  authors  presented 
an  integrated  3-D  model  of  multiple  Cl  and  networks  to  analyze  risk  and 
interdependencies.  The  authors  claimed  that  the  model  will  support  risk  analysis  and  the 
planning  of  emergency  response  actions. 
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Owusu  et  al.  (2010)  also  studied  the  linkage  of  risk  propagation  in  Cl  due  to 
dependency,  interdependency,  and  multi-interdependency.  The  authors  developed  a 
binary  relationship  for  interdependency  and  showed  the  ripple  effect  of  an  impact  of  a  Cl 
and  helped  produce  a  method  to  estimate  the  value  of  risk  impact. 


Table  3  Summary  of  research  on  Areas  of  Application  in  Cl  Risk 


Author  (Year) 

Area  of  Application 

Synopsis 

Conrad  et  al.  (2006) 

Interdependencies 
vulnerability 
compensation  plans 

Telecommunication  sub-systems  have  a 
significant  impact  on  Cl 
interdependencies 

Daidone  et  al. 

(2008) 

Interdependencies 

redundant 

architecture 

Parameters  chosen  for  the  detection  of 

Cl  impacts  were  crucial  in  determining 
dependability  and  availability 

Mao  (2009) 

Interdependencies 
vulnerability  factors 

Interdependency  and  control  strategy, 
identification  of  cascading  pathways, 
and  design  models  to  simulate  disaster 
can  develop  strategies  for  emergencies 

Becker  et  al.  (2010) 

Interdependencies 
risk  analysis 

Developed  an  integrated  3-D  model  of 
multiple  Cl  to  support  risk  analysis  and 
the  planning  of  emergency  response 
actions 

Owusu  et  al.  (2010) 

Interdependency  risk 
propagation 

Produce  a  method  to  estimate  the  value 
of  risk  impact  caused  by  the  ripple 
effect  of  a  Cl 

Case  Studies. 

Case  studies  into  CIs  cover  a  wide  area  of  application  including 
telecommunication,  construction  security,  and  consequence  of  dam  breakage.  Gorman  et 
al.  (2003)  conducted  a  study  of  national  data  carriers  and  the  repercussions  of  targeted 
attacks.  The  study  focused  on  data  networks  and  the  spatial  implications  of  their 
susceptibility  to  these  attacks.  The  authors  stated  that  any  analysis  for  security  and 
economic  impact  must  include  regional  and  distance  variables. 
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The  tradeoff  between  risk  and  cost  for  Cl  at  a  construction  site  layout  was  studied 


by  Said  and  El-Rayes  (2009).  The  researchers  proposed  a  framework  for  the  planning 
and  security  of  the  site  by  using  four  phases — risk  identification  and  system  modeling, 
security  lighting  optimization,  security-cost  optimization,  and  performance  evaluation. 
The  study  concluded  that  cost  optimization  involved  balancing  cost  minimization  and 
risk  minimization. 

Needham  et  al.  (2010)  described  the  consequence  estimation  for  Cl  risk 
management  used  for  a  dam  failure.  The  authors  focused  on  the  process  of  dam  breakage 
flooding  modeling  conducted  by  the  USACE.  The  study  revealed  that  the  USACE 
method  for  dam  failure  analysis  and  consequence  estimation  was  scalable  and  could  be 
updated  and  refined  to  support  detailed  assessment  where  results  can  be  available  in  a 
few  days. 


Table  4  Summary  of  Case  Studies  of  Cl  Risks 


Author  (Year) 

Case 

Synopsis 

Gorman  et  al. 
(2003) 

National  data  carriers 
targeted  attacks 

Analysis  for  security  and  economic 
impact  must  include  regional  and 
distance  variables 

Said  and  El- 
Rayes  (2009) 

Risk  and  cost  tradeoffs 
for  Cl  construction  site 
layout 

Cost  optimization  involves  balancing 
cost  minimization  and  risk  minimization 

Needham  et  al. 
(2010) 

USACE  dam  failure 
flooding  analysis 

USACE  method  was  scalable  and  could 
be  refined  to  support  detailed 
assessment  and  produce  results  in  days 
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Information  Technology  Risk 


Since  IT  is  comprised  of  hardware,  software,  processes,  and  networks,  it 
application  in  construction  will  face  similar  risk  as  in  other  industry.  This  consideration 
can  be  used  to  evaluate  research  of  risk  in  various  industries  since  similar  IT  type  risk 
will  exist  in  the  construction  industry.  A  summary  table  is  presented  at  the  end  of  each 
section. 

Methodology. 

Several  researchers  studied  IT  risk  by  using  a  combination  of  several  methods. 
Rainer  et  al.  (1991)  studied  a  combination  of  qualitative  and  quantitative  risk  analysis 
methods.  The  quantitative  methods  include  annualized  loss  expectancy,  Livennore  Risk 
Analysis  Methodology,  and  Stochastic  Dominance  while  the  qualitative  methods  include 
scenario  analysis,  fuzzy  metrics,  and  questionnaire.  The  authors  concluded  that  the 
combination  of  risk  methods  was  more  flexible  and  covered  a  wider  range  of  IT  than  a 
single  method. 

Other  research  involved  the  study  of  the  component  of  risk.  Rainer  et  al.  (1991) 
used  a  four-step  framework  for  IT  risk  management — risk  identification,  risk  analysis, 
risk-reducing  measures,  and  risk  monitoring.  The  authors  stated  that  the  study  should 
help  organizations  be  more  aware  of  IT  dependence,  the  internal  and  external  sources  of 
threats,  and  be  able  to  implement  mitigation  measures. 

Some  research  studied  the  risk  assessment  and  risk  management  methods  used  in 
other  industries  for  application  in  IT.  Oren  (2008)  investigated  how  risk  assessment 
methods  from  the  nuclear,  aerospace,  and  chemical  industries  can  be  applied  to  IT.  The 
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study  involved  applying  probabilistic  risk  assessment  in  a  service-oriented  environment 
to  determine  the  reliability,  availability,  and  expected  cost  over  time.  Nikolic  et  al. 
(2009)  researched  methods  from  risk  assessment  used  in  occupational  health  for  possible 
application  to  IT.  The  study  focused  on  IT  modification  in  the  occupational  health 
workplace  and  application  with  the  aim  to  identify  and  evaluate  threats,  vulnerabilities, 
and  safety  characteristics.  The  author  concluded  IT  risk  assessment  methods  used  in 
occupational  health  sector  can  be  used  in  other  IT  areas. 

Karadsheh  (2010)  presented  a  framework  for  integrating  knowledge  management 
and  risk  management  for  IT  projects.  The  framework  provided  the  ability  to  develop 
remedial  project  management  actions  to  address  IT  project  failures. 


Table  5  Summary  of  research  on  Methods  in  IT  Risks 


Author  (Year) 

Methodology 

Synopsis 

Rainer  et  al. 
(1991) 

Combination  of 
qualitative  and 
quantitative  methods 

Combination  of  risk  methods  was  more 
flexible  and  covered  a  wider  range  of  IT  than 
a  single  method 

Oren  (2008) 

Benchmarking  IT  risk 
management  from  other 
industries 

Detennine  the  reliability,  availability,  and 
expected  cost  over  time 

Nikolic  et  al. 
(2009) 

Using  risk  assessment 
methods  from 
occupational  health  area 

IT  risk  assessment  methods  used  in 
occupational  health  sector  can  be  used  in 
other  IT  system  area 

Karadsheh 

(2010) 

Integrating  Knowledge 
Management  with  Risk 
Management 

Provided  the  ability  to  develop  remedial 
project  management  actions  to  address  IT 
project  failures 

Management  Policy. 

The  evolving  nature  of  IT  requires  policies  to  be  regularly  reviewed  and  updated. 
The  United  States  Chief  Information  Officer  (CIO)  and  DoD  CIO  is  the  responsible 
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office  for  IT  in  the  federal  government  and  the  DoD  respectively.  The  USAF  CIO 
follows  the  policies  and  guidelines  from  these  two  agencies.  Since  IT  applications  will 
be  the  same  for  private  and  federal  construction,  any  policy  that  affect  it  use  will  impact 
USAF  construction. 

Studies  into  management  policies  concerning  risk  in  IT  cover  a  wide  range  of 
research  from  management  decisions,  outsourcing,  and  legal  issues.  Researchers 
investigated  the  risks  of  outsourcing  IT  and  improving  IT  critical  infrastructure  through 
the  Trade  Practices  Law.  Bahli  (2001)  proposed  a  model  to  define  and  measure  IT 
outsourcing  risk.  The  model  was  developed  using  transaction  cost  and  IT  outsourcing 
literature.  The  author  stated  that  the  model  provided  a  systematic  understanding  of  IT 
outsourcing  risk  and  provided  a  tool  for  the  assessment  of  those  risks.  Winn  (2004) 
investigated  the  implementation  of  laws  to  require  investing  in  cyber  security  in  order  to 
protect  IT  and  CL  The  authors  conducted  a  legal  review  of  factors  that  affect  Critical 
Infrastructure  Infonnation  Systems  and  recommends  that  the  government  reform  the 
applicable  laws  to  provide  incentives  to  increase  investment  in  cyber  security. 

Kutsch  and  Hall  (2005)  studied  how  specific  risk  management  decisions  can 
determine  why  IT  project  fails.  The  study  sought  to  detennine  what  causes  IT  managers 
behavior  to  IT  to  be  different  from  what  might  be  expected.  The  researcher  found  that 
some  project  managers  tend  to  deny,  avoid,  ignore,  and  delay  dealing  with  risk.  In 
another  study,  Kutsch  and  Hall  (2009)  studied  the  degree  of  use  of  risk  management  and 
barriers  that  prevented  IT  managers  from  using  risk  management.  The  study  concluded 
that  in  some  situations,  risk  management  was  not  applied  because  of  problems  with  cost 
justification. 
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Obagbuwa  and  Chidiebere  (2009)  investigated  the  use  of  IT  as  a  tool  to  leverage 
efficiency  in  risk  management.  The  authors  studied  corporate  governance  of  Boards  of 
Directors  and  corporate  officers  to  detennine  how  IT  affects  specific  roles  in  risk 
management.  The  study  concluded  that  accessibility  to  reliable  information  is  critical  to 
decision  making. 


Table  6  Summary  of  research  on  Management  Policies  in  IT  Risks 


Author  (Year) 

Management  Policy 

Synopsis 

Bahli  (2001) 

Outsourcing  Risk 

Provided  a  systematic  understanding  of  IT 
outsourcing  risk  and  a  tool  for  risk 
assessment 

Winn  (2004) 

Review  laws  affecting 
Critical  Infrastructure 
Infonnation  Systems 

Recommends  that  the  government  reform  the 
applicable  law  to  provide  incentives  to 
increase  investment  in  cyber  security 

Kutsch  and  Hall 
(2005  ) 

Managers’  decisions  in 
risk  management 

Some  project  managers  tend  to  deny,  avoid, 
ignore,  and  delay  dealing  with  risk 

Kutsch  and  Hall 
(2009) 

Barriers  in  risk 
management 

Risk  management  may  not  be  applied 
because  of  problems  with  cost  justification 

Obagbuwa  and 

Chidiebere 

(2009) 

Use  of  IT  to  leverage 
efficiency  in  risk 
management 

Accessibility  to  reliable  information  is 
critical  to  decision  making. 

Areas  of  Application. 

IT  can  be  applied  in  almost  all  industries  and  since  the  function  of  IT  operation  is 
similar  in  all  applications,  the  research  areas  selected  are  those  that  involve  risk  similar  to 
that  found  in  construction. 

Ginzberg  and  Moulton  (1990)  stated  that  the  concept  of  IT  risk  was  too  narrow 
and  a  broader  approach  was  needed.  The  authors  studied  the  range  of  IT  risk  in 
organizations  by  first  identifying  risks  with  the  greatest  impact  and  then  expanding  the 
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scope  to  covered  the  lower  level  risks.  The  study  concluded  that  management  will  have 
to  choose  which  risk  they  want  to  minimize  based  on  the  cost  of  risk  minimization  and 
the  cost  of  consequence  minimization. 

Bandy opadhyay  et  al.  (1999)  examined  the  risk  management  needed  for 
organizations  that  invested  up  to  a  third  of  their  budget  in  IT.  The  author  stated  that  IT 
risk  management  must  be  a  major  concern  for  the  organizations’  executives  and 
recommended  a  framework  for  integrated  risk  management  be  used.  The  framework 
included  risk  identification,  risk  analysis,  risk-reducing  measures,  and  risk  monitoring. 

IT  risk  in  project  portfolio  management  was  studied  by  Drake  and  Byrd  (2006). 
Although  business  processes  is  different  from  construction  process,  the  risk  in  IT 
application  is  similar  where  it  is  used  in  the  management  of  construction  projects  folders. 
The  authors  identified  five  types  of  risk  in  the  study — strategic  alignment  risk, 
organization  and  management  risk,  culture  and  climate  risk,  project  relation  risk,  and 
financial  risk. 


Table  7  Summary  of  research  on  Areas  of  Application  in  IT  Risks 


Author  (Year) 

Area  of  Application 

Synopsis 

Ginzberg  and 

Moulton  (1990) 

Range  of  risk  in  an 
organization 

Risks  chosen  minimization  is  based  on 
the  cost  of  risk  minimization  and  the 
cost  of  consequence  minimization 

Bandyopadhyay  et 
al.  (1999) 

Risk  management 
framework  for  large 

IT  budget 
organizations 

Integrated  risk  management  framework 
based  on  risk  identification,  risk 
analysis,  risk-reducing  measures,  and 
risk  monitoring 

Drake  and  Byrd 
(2006) 

IT  risk  in  project 

portfolio 

management 

Identified  five  types  of  risk — strategic 
alignment  risk,  organization  and 
management  risk,  culture  and  climate 
risk,  project  relation  risk,  and  financial 
risk 
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Case  Studies. 


A  review  of  case  studies  involving  IT  risk  revealed  that  research  in  other  field 
represents  similar  risk  as  in  construction  applications.  Tolone  et  al.  (2008)  applied  a 
system  of  systems  approach  to  combine  various  systems  in  an  Integrated  Model 
Evaluation.  The  model  was  verified  and  validated  in  a  Fortune  100  company  where  the 
risks  from  hardware,  system  software,  business  application,  business  processes,  and 
business  units  were  integrated. 

Ronnback  and  Homlstrom  (2008)  investigated  the  role  of  IT  in  industry  risk 
management  by  studying  the  operation  of  Smurfit  Kappa  Kraftliner,  a  paper  fiber 
producing  company.  The  researchers  sought  to  detennine  the  enabling  and  inhibiting 
effects  of  IT  on  the  company’s  risk  management.  The  study  concluded  that  the 
company’s  risk  management  process  had  the  effect  of  diffusing  risk  rather  than 
containing  it.  The  company  had  to  continually  invest  more  resources  in  the  containing 
the  increasing  diffused  risk. 


Table  8  Summary  of  Case  Studies  in  IT  Risks 


Author  (Year) 

Case 

Synopsis 

Tolone  et  al. 
(2008) 

Verification  and 
validation  of  a  risk 
analysis  model  on 

Fortune  100  company 

Integration  of  risks  from  hardware, 
system  software,  business  application, 
business  processes,  and  business  units 

Ronnback  and 
Homlstrom 
(2008) 

Risk  management  of 
Smurfit  Kappa 

Kraftliner — a  paper  fiber 
producing  company 

The  company’s  risk  management  process 
had  the  effect  of  diffusing  risk  rather  than 
containing  it 
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Contract 


The  governing  directive  for  contracting  in  the  federal  and  military  construction  is 
the  Federal  Acquisition  Regulation  (FAR).  This  regulation  provides  the  legal  framework 
for  other  regulation  that  deals  with  construction  contracts.  The  United  States  Air  Force 
(USAF)  uses  Air  Force  Instructions  (AFIs),  and  Air  Force  Policy  Directives  (AFPD)  to 
incorporate  FAR  requirements  for  construction  within  its  control.  AFPD,  Installations 
and  Facilities;  AFI  32-1021,  Planning  and  Programming  Military  Construction  Projects; 
AFI  32-1022,  Planning  and  Programming  Non- Appropriated  Fund  Facility  Construction 
Projects,  and  AFI  32-1023,  Designing  and  Constructing  Military  Construction  Projects 
are  used  in  the  contracting  construction  projects. 

The  AEC  is  a  major  party  in  the  contract  process  and  share  risk  with  federal 
agencies  in  the  construction  contract.  In  addition,  legal  standards  of  contracts,  the  AEC 
must  comply  with  federal  policies.  There  are  studies  that  examine  the  methods, 
management  policies,  and  specific  areas  of  application  that  involves  the  risks  associated 
with  construction  contracts.  Some  research  examines  specific  risks  by  conducting  case 
studies.  A  summary  table  is  presented  at  the  end  of  each  section. 

Methodology. 

In  a  comprehensive  study  of  risk  allocation  in  construction  projects,  Diepenbrock 
et  al.  (2002)  examined  methods  of  restricting  liability  or  allocating  risk  to  construction 
projects.  The  authors  focused  on  design  errors,  unexpected  site  conditions,  construction 
errors  and  delays,  and  the  risks  of  payment.  The  authors  concluded  that  contract 
enforceability  from  a  legal  perspective  depends  on  the  type  of  risk  and  the  method  of  risk 
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allocation.  From  a  practical  standpoint,  contracting  parties  must  consider  who  is  in  the 
best  position  to  bear  the  risk,  which  is  based  on  having  the  best  resource. 

Tan  and  Thoen  (2002)  proposed  a  method  based  on  Risk  and  Trust  Management 
to  negotiate  and  develop  a  contract.  This  method  applies  control  mechanisms  rules  so 
contracting  parties  can  amend  existing  contracting  transaction  to  make  it  more 
appropriate  to  the  respective  risk  and  trust  assessment. 

Risk  perception  and  Bayesian  analysis  of  international  construction  contract  risk 
was  studied  by  Adams  (2008).  The  research  proposed  that  differing  perceptions  of  risk 
by  contracting  parties  affects  the  overall  risk  estimate  of  the  contract  terms.  A  Bayesian 
Analysis  validated  that  risk  perception  of  contracting  parties  from  different  socio¬ 
economic  backgrounds  affect  contract  risk  estimates. 

Lee  et  al.  (2009)  developed  a  method  for  using  decision-analysis  in  contract  risk¬ 
sharing.  The  authors  used  literature  review,  interviews,  questionnaires,  fuzzy  evaluation, 
and  current  decisions  models  in  their  analysis.  The  research  concluded  that  risk-sharing 
should  be  based  on  the  fluctuation  of  the  price  of  the  project  and  the  contracting  authority 
should  set  rights  and  obligations  with  equal  benefits  to  all  parties. 

Shane  and  Gransberg  (2010)  studied  the  coordination  of  contract  design  using  the 
Construction  Manager-at-Risk  (CMR)  in  the  project  delivery.  This  method  of  contracting 
allowed  direct  collaboration  between  the  designer  and  the  builder.  This  collaboration 
was  a  major  advantage  and  was  found  to  reduce  delivery  time  and  project  cost.  Existing 
contracting  terms  must  be  modified  to  allow  this  contracting  delivery  method. 
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Table  9  Summary  of  research  on  Methods  in  Contract  Risks 


Author  (Year) 

Research  Method 

Synopsis 

Diepenbrock  et 
al.  (2002) 

Risk  Allocation 

Identified  the  contracting  party  who  is 
best  able  to  bear  risk 

Tan  and  Thoen 
(2002) 

Risk  and  Trust 

Management 

Contracting  parties  can  amend  contract 
transaction  to  the  appropriate  level  of 
risk  and  trust 

Adams  (2008  ) 

Risk  Perception  and 
Bayesian  Analysis 

Risk  perception  at  lower  levels  affects 
the  overall  project  risk 

Lee  et  al. 

(2009) 

Risk  Sharing  Decision 
Analysis 

Contracting  authority  should  share 
rights  and  obligations  to  all  parties 
based  on  the  change  to  the  project  cost 

Shane  and 
Gransberg 
(2010) 

Construction  Manager-at- 
Risk 

Contract  modification  to  allow 
collaboration  between  designer  and 
builder  can  reduce  delivery  time  and 
project  cost 

Management  Policy. 

In  addition  to  policies  created  for  contract  requirements  under  the  FAR,  research 
have  studied  other  management  techniques  and  policies  that  involve  risk  in  construction 
contracts.  The  Defense  Contract  Audit  Agency  use  of  risk  analysis  in  contract  planning 
was  studied  by  Neuman  (1979).  The  study  focused  on  the  risk  associated  with  the 
priority  of  audits  and  the  amount  of  time  available  to  conduct  the  audit.  To  minimize  the 
risk  associated  with  the  invested  audit  time,  Neuman  (1979)  developed  a  system  to 
balance  audit  priority  and  available  audit  time. 

Dyson  (2001)  presented  a  comparative  analysis  of  a  sampling  of  risk  management 
plans  administered  by  the  Defense  Contract  Management  Agency  (DCMA).  The  study 
focused  on  the  DCMA’s  use  of  a  five-step  approach  to  risk  management  and  the 
employment  of  IT  in  its  Risk  Assessment  and  Management  Program  (RAMP).  The 
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author  recommended  that  this  program  be  implemented  throughout  the  Department  of 
Defense. 

Friedlander  (2003)  researched  the  risk  allocation  in  Design-Build  construction 
projects  by  examining  the  legal  aspects  of  the  contract.  The  author  analyzed  the 
provisions  of  the  contract  and  identified  potential  risks  to  the  contracting  parties. 
Friedlander  (2003)  concluded  that  the  contract  documents  from  organizations  such  as  the 
Design-Build  Institute  of  America  and  the  American  Institutes  of  Architects  represent 
basic  requirements  of  a  construction  contract  because  the  practices  evolved  from  the 
industry  norms  and  standards. 

Lloyd  (2010)  reviewed  the  inclusion  of  tenns  that  contracting  parties  can  use  for 
misleading  and  deceptive  claims  under  the  Trade  Practices  Act  1974.  Lloyd  focused  on 
the  problematic  nature  of  law  governing  the  delay  and  change  of  scope  of  the  contract. 
The  study  concludes  that  courts’  decision  indicates  that  parties  should  avoid  deviating 
from  the  terms  of  the  original  contract  since  there  is  no  relief  under  the  Trade  Practices 
Act. 
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Table  10  Summary  of  research  on  Management  Policies  in  Contract  Risks 


Author  (Year) 

Management  Policy 

Synopsis 

Neuman 

(1979) 

Defense  Contract  Audit 
Agency  use  of  risk  analysis 

Developed  a  system  to  balance  audit 
priority  and  available  audit  time  under 
DCAA 

Dyson  (2001) 

Defense  Contract 
Management  Agency  Risk 
Assessment  and 
Management  Program 

The  author  recommended  that  this 
program  be  implemented  throughout 
the  Department  of  Defense 

Friedlander 

(2003) 

Legal  aspects  of  Design- 
Build  contract 

Contracts  developed  from  DBIA  and 
AIA  meet  legal  requirements 

Lloyd  (2010) 

Review  of  the  Trade 

Practice  Act  1974 

Parties  should  avoid  deviating  from  the 
terms  of  the  original  contract  since 
there  is  no  relief  under  the  Trade 
Practices  Act. 

Areas  of  Application. 

Existing  research  shows  that  risk  in  contract  cover  a  wide  range  of  application  in 
construction.  Erikson  and  O’Connor  (1979)  investigated  the  assessment  of  risk  between 
the  owner  and  contractor  in  firm  fixed-price  construction  contracts.  The  authors  used 
utility  theory  to  determine  the  cost  effects  of  varying  risk  assignments  and  what  type  of 
techniques  are  used  for  contractually  assigning  risk. 

Another  area  of  application  of  research  of  risk  in  contract  focused  on  community- 
controlled  construction  contracts.  Randolph  et  al.  (1987)  evaluated  the  risk  associated 
with  construction  contract  development  and  applied  it  to  the  community  of  Lansing, 
Michigan,  United  States.  The  researchers  collected  and  analyzed  data  from  municipal 
contract  documents.  The  analysis  produced  risk  nomographs  that  management  teams  can 
use  to  determine  the  amount  of  effort  needed  to  manage  risk  for  a  particular  construction 
project. 
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Other  research  into  construction  contract  risk  investigated  the  fixed  price  of 
housing  construction  contract.  Bimie  and  Yates  (1990)  studied  the  uncertainty  of  the 
price  of  housing  construction  before  contract  negotiation.  The  research  involved 
studying  the  risk  associated  with  the  Design-Build  contract  between  owner  and 
contractor.  Birnie  and  Yates  (1990)  concluded  that  the  owner  can  make  decisions  on  the 
construction  cost  by  considering  the  risk  associated  contract  before  negotiating  a  fixed 
price. 

Adams  (2008)  studied  the  techniques  for  analyzing  risk  in  construction  contract  in 
the  United  Kingdom.  The  study  focused  on  the  effectiveness  of  existing  risk  analysis  and 
management  techniques.  Adams  detennined  that  current  methods  were  not  appropriate 
since  they  relied  heavily  on  a  single  expert  and  did  not  address  any  individual  perception 
or  bias. 


Table  11  Summary  of  research  on  Areas  of  Application  in  Contract  Risks 


Author  (Year) 

Area  of  Application 

Synopsis 

Erikson  and 

O’Connor 

(1979) 

Firm  fixed-price 
construction  contracts 

Detennined  the  cost  effects  of  varying 
risk  assignments  and  type  of  techniques 
are  used  for  contractually  assigning  risk 

Randolph  et  al. 
(1987) 

Risk  associated  with 
construction  contract 
development 

Detennine  the  amount  of  effort  needed 
to  manage  risk  for  a  particular 
construction  project 

Birnie  and 

Yates  (1990) 

Housing  construction 
before  contract  negotiation 

Owner  scan  make  decisions  on 
construction  cost  by  considering  the  risk 
associated  contract  before  negotiating  a 
fixed  price 

Adams  (2008) 

Techniques  for  analyzing 
risk  in  construction 
contract  in  the  United 
Kingdom 

Current  methods  were  not  appropriate 
since  they  relied  heavily  on  a  single 
expert  and  did  not  address  any 
individual  perception  or  bias 
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Case  Studies. 


Chapman  and  Cooper  (1985)  studied  the  risk  analysis  used  by  a  consortium  of 
engineering  consulting  firms  for  a  tum-key  electric  power  project.  The  case  study 
focused  on  the  individual  sources  of  risk  and  their  combined  effect.  The  combined  risk 
along  with  the  project  cash-flow  model  was  used  to  determine  the  range  of  the  overall 
project  cost.  Mitigation  measures  based  on  the  cost  associated  with  risk  were 
implemented  in  the  contract. 

McClelland  (1996)  investigated  the  risk  allocation  techniques  used  by  forty-four 
owners  who  obtained  construction  services.  The  author  focused  on  the  specific  contract 
clauses  and  the  varying  risk  allocation  used  by  the  different  contractors.  The  study 
concluded  that  the  variation  of  risk  allocation  was  due  to  unclear  language  and 
interpretation  of  the  contract  and  project  documents. 

Chang  (2009)  researched  the  risk  associated  with  a  tunnel  construction  contract. 
The  unpredictable  nature  of  risk  in  this  type  of  construction  and  the  accompanying 
hazards  and  accidents  frequently  produced  contract  disputes.  Chang  (2009)  proposed  a 
modification  of  the  current  contract  process  to  develop  an  optimal  risk  sharing  technique 
from  a  contract  administration  perspective.  The  risk  sharing  techniques  was  used  to 
reduce  contractual  disputes,  mitigate  risk,  and  lower  cost  of  damages  and  losses. 
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Table  12  Summary  of  Case  Studies  of  Contract  Risks 


Author  (Year) 

Case 

Synopsis 

Chapman  and 
Cooper  (1985) 

Tum-key  electric  power 
project 

Mitigation  measures  based  on  the  cost 
associated  with  risk  were  implemented 
in  the  contract 

McClelland 

(1996) 

Owners  using  construction 
services 

Variation  of  risk  allocation  was  due  to 
unclear  language  and  interpretation  of 
the  contract  and  project  documents 

Chang  (2009) 

Tunnel  construction 

contract 

Risk  sharing  techniques  was  used  to 
reduce  contractual  disputes,  mitigate 
risk,  and  lower  cost  of  damages  and 
losses 

Cost  Risk 

Since  cost  is  an  overriding  factor  in  all  aspects  of  construction  and  plays  a  critical 
role  in  risk  through  mitigation  cost  and  consequential  cost,  there  is  a  wide  range  of 
research  on  various  aspects  of  cost  in  risk.  A  summary  table  is  presented  at  the  end  of 
each  section. 

Methodology. 

A  widely  used  methodology  to  study  risk  cost  involved  the  application  of 
statistical  techniques.  Balci  and  Sargent  (1981)  developed  a  model  for  cost-risk  analysis 
based  on  Hotelling’s  two-sample  T2test.  This  method  was  used  to  construct  the 
relationship  among  project  risk,  cost,  and  data  when  simulation  involves  statistical 
hypothesis  testing. 

Hulett  (2002)  developed  a  cost-risk  estimation  using  Monte  Carlo  simulation  to 
determine  more  accurate  total  cost  estimates.  The  study  revealed  that  the  model  was 
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more  accurate  than  tradition  methods  since  data  used  tradition  methods  of  estimation 
were  not  certain. 

One  of  the  most  widely  used  techniques  for  studying  cost  and  risk  involves  some 
form  of  fuzzy  decisions  framework.  Baloi  and  Price  (2003)  used  fuzzy  decision 
framework  to  model  global  risk  factors.  The  model  was  based  on  an  evaluation  of 
decision-making  technologies  and  management  science  techniques.  The  authors 
indicated  that  the  model  was  viable  for  global  risk  factors. 

Dikmen  et  al.  (2007)  used  fuzzy  risk  assessment  to  rate  cost  overruns  in 
international  construction  projects.  Dikmen  et  al.  (2007)  created  a  computerized  system 
for  an  international  construction  company  and  successfully  tested  it  with  real  data  during 
the  bidding  stage  of  a  construction  contract.  Rohman  et  al.  (2008)  presented  a 
methodology  and  computer  model  based  on  risk  analysis  and  fuzzy  expert  system  to 
estimate  contingency  cost  for  a  project.  The  model  incorporated  contractors’  experience 
and  judgment  and  was  validated  using  data  from  four  projects.  Chan  et  al.  (20 1 1)  also 
developed  a  fuzzy  risk  assessment  for  use  in  construction  projects  with  guaranteed 
maximum  price  and  target  cost  contracts.  Chan  et  al.  (201 1)  identified  key  risk  factors 
from  empirical  questionnaires  and  categorized  them  into  groups.  The  authors  suggested 
that  the  model  provide  a  strong  platform  to  measure,  evaluate,  and  mitigate  risk  level 
based  on  the  objective  evidence  rather  than  subject  judgment. 

Stuparu  et  al.  (2010)  studied  probability  distribution  in  cost-risk  analysis  to 
identify  the  most  probable  threat  to  an  organization.  The  study  produced  a  risk  analysis 
process  for  the  foundation  of  recovery  planning. 


27 


In  another  research,  Clark  and  Hamilton  (2007)  investigated  the  use  of  Crystal 


Ball  Software  for  cost-risk  analysis  in  government  cost  estimations.  The  research 
showed  that  the  software  was  effective  in  accomplishing  cost-risk  analysis  based  on  life 
cycle  costs. 


Table  13  Summary  of  research  on  Methods  in  Cost  Risk 


Author  (Year) 

Research  Method 

Synopsis 

Balci  and 
Sargent (1981) 

Hotelling’s  two-sample 

T2  test 

Constructed  the  relationship  among 
project  risk,  cost,  and  data  when 
simulation  involves  statistical  hypothesis 
testing 

Hulett  (2002) 

Cost-risk  estimation 
using  Monte  Carlo 
simulation 

Developed  a  model  that  was  more 
accurate  than  tradition  methods  since  data 
used  tradition  methods  of  estimation  were 
not  certain 

Baloi  and  Price 
(2003) 

Fuzzy  decision 
framework 

Developed  framework  to  model  global 
risk  factors 

Clark  and 
Hamilton 
(2007) 

Crystal  Ball  Software  for 
cost-risk  analysis 

Software  was  effective  in  accomplishing 
cost-risk  analysis  based  on  life  cycle  costs 

Dikmen  et  al. 
(2007) 

Fuzzy  risk  management 

Rated  cost  overruns  in  international 
construction  projects 

Rohman  et  al. 
(2008) 

Fuzzy  expert  system 

Incorporated  contractors’  experience  and 
judgment  to  estimate  contingency  cost  for 
a  project 

Stuparu  et  al. 
(2010) 

Probability  distribution  in 
cost-risk  analysis 

Produced  a  risk  analysis  process  for  the 
foundation  of  recovery  planning 

Chan  et  al. 
(2011) 

Fuzzy  risk  management 

Developed  a  model  to  provide  a  strong 
platfonn  to  measure,  evaluate,  and 
mitigate  risk  level  based  on  the  objective 
evidence  rather  than  subject  judgment 

Management  Policy. 

The  prevailing  management  policy  for  risk  cost  in  construction  is  published  by  the 
DoD  and  the  USAF.  These  policies  provide  guidance  for  cost-risk  in  USAF  operations  to 
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include  construction.  Lurie  et  al.  (1993)  authored^  Handbook  of  Cost  Risk  Analysis 
Methods  for  the  Institute  of  Defense  Analysis  (IDA).  The  handbook  was  intended  to  be  a 
guide  for  IDA  analysts  working  for  the  DoD  and  other  government  agencies.  Goldberg 
and  Weber  (1998)  authored  The  Evaluation  of  Risk  Analysis  and  Cost  Management 
(RACM)  Model  also  for  the  IDA.  Goldberg  and  Weber  (1998)  recommended  the  RACM 
Model  be  used  to  supplement  the  risk  analysis  and  management  program  in  the  defense 
industry. 

Nibley  and  Dyer  (2000)  studied  the  issues  in  risk  analysis  and  cost  containment 
involved  in  the  procurement  of  major  construction  projects  by  international  governments. 
The  authors’  research  focused  on  the  most  significant  risk  involved  in  the  contracting  of 
major  construction  projects  by  national  governments.  The  study  revealed  the  risk  that 
government  and  contractors  faced  in  international  construction. 

Covert  (2005)  created  a  presentation  for  the  DoD  Cost  Analysis  Symposium,  which 
outline  current  status  of  cost  risk  analysis  in  the  DoD  and  recommended  particular  areas 
for  budget  allocation. 
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Table  14  Summary  of  research  on  Management  Policies  in  Cost  Risk 


Author  (Year) 

Management  Policy 

Synopsis 

Lurie  et  al. 
(1993) 

A  Handbook  of  Cost  Risk 
Analysis  Methods 

Intended  to  be  a  guide  for  IDA  analysts 
working  for  the  DoD  and  other 
government  agencies 

Goldberg  and 
Weber  (1998) 

Evaluation  of  Risk 

Analysis  and  Cost 
Management  (RACM) 
Model 

Recommended  the  RACM  Model  be 
used  to  supplement  the  risk  analysis  and 
management  program  in  the  defense 
industry 

Dyer  (2000) 

Contracting  of  major 
construction  projects  by 
national  government 

Revealed  the  risk  that  government  and 
contractors  faced  in  international 
construction 

Covert  (2005) 

Presentation  to  the  DoD 

Cost  Analysis  Symposium 

Outlined  current  status  of  cost  risk 
analysis  in  the  DoD  and  recommended 
particular  areas  for  budget  allocation 

Areas  of  Application. 

A  review  of  existing  research  reveal  that  the  main  areas  of  application  for  risk 
cost  studies  involved  contingency,  evaluation  of  services,  estimating  and  forecasting,  and 
total  contract  cost. 

Cooper  et  al.  (1985)  and  Touran  (2003)  studied  contingency  as  it  relates  to  risk 
cost.  Cooper  et  al.  (1985)  research  involved  an  independent  check  of  reliability  of  project 
estimates  and  the  adequacy  of  contingency  allowance.  Touran  studied  the  random  nature 
of  construction  change  orders  and  incorporated  uncertainties  of  project  cost  to  calculate 
project  contingency. 

Ellis  and  Wood  (2001)  investigated  the  risk  management  services  provided  by 
engineering  consultants  for  construction  projects  in  the  United  Kingdom.  The  study 
involved  examining  the  Risk  Management  (RM)  Services  performed  throughout  the 
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organization.  The  authors  discovered  that  (RM)  services  typically  translated  risk  as  a 
cost  and  the  client  must  detennine  how  to  apply  the  cost  of  risk  to  the  overall  project  cost. 

Abdou  et  al.  (2004)  reviewed  the  different  approaches  of  modeling  risk  in  cost 
estimating  and  forecasting  that  is  used  in  construction.  The  review  presented  an 
understanding  of  the  sources  of  risk  and  uncertainty  by  identifying  and  classifying  the 
risk.  The  project  owner  can  then  choose  the  best  method  from  the  project  parameters  and 
related  historical  data. 

Uncertainty  in  construction  was  studied  by  Odeyinka  et  al.  (2006)  to  assess  risk 
impacts  on  the  overall  construction  cost.  The  authors  found  that  the  major  uncertainty 
risk  factors  were  caused  by  financial,  political,  and  physical  conditions. 


Table  15  Summary  of  research  on  Areas  of  Application  in  Cost  Risks 


Author  (Year) 

Area  of  Application 

Synopsis 

Cooper  et  al. 
(1985) 

Project  Contingency 

Independent  check  of  reliability  of 
project  estimates  and  the  adequacy  of 
contingency  allowance 

Ellis  and  Wood 
(2001) 

Risk  management  services 

RM  services  typically  translated  risk  as 
a  cost  and  the  client  must  determine 
how  to  apply  the  cost  of  risk  to  the 
overall  project  cost 

Touran  (2003) 

Construction  change  orders 

Incorporated  uncertainties  of  project 
cost  to  calculate  project  contingency 

Abdou  et  al. 
(2004) 

Cost  estimating  and 
forecasting 

Owner  can  then  choose  the  best  risk 
management  method  from  the  project 
parameters  and  related  historical  data 

Odeyinka  et  al. 
(2006) 

Uncertainty  in  construction 

Major  uncertainty  risk  factors  were 
caused  by  financial,  political,  and 
physical  conditions 
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Case  Studies. 


Vidalis  (2005)  studied  the  relationship  between  cost,  quality,  and  risk  in  Portland 
concrete  pavement  construction.  The  research  involved  studying  the  current  process  that 
contractors  use  for  bidding  on  concrete  pavement  construction  projects.  The  study 
revealed  that  a  computer  program  can  be  created  to  incorporate  risk  and  probability  to 
achieve  overall  quality  target  for  the  project.  The  contractor  can  then  balance  the  risk 
involved  in  project  quality  and  bidding  price. 

Greedy  (2006)  investigated  risk  factors  leading  to  cost  overruns  in  the  delivery  of 
highway  construction  projects.  The  author  analyzed  completed  highway  projects  that  had 
cost  overruns  to  determine  the  how  the  initial  budget  was  wrong  and  to  identify  the  risk 
associated  with  the  overruns.  The  case  study  indicated  that  there  is  a  reciprocal 
relationship  between  the  project  budget  size  and  the  percentage  of  cost  overruns  that  the 
client  can  use  to  determine  more  accurate  cost  estimates. 


Table  16  Summary  of  Case  Studies  of  Cost  Risks 


Author  (Year) 

Case 

Synopsis 

Vidalis  (2005) 

Portland  concrete 
pavement  construction 

Incorporated  risk  and  probability  to 
achieve  overall  quality  target  so  the 
contractor  can  balance  the  risk  involved 
in  project  quality  and  bidding  price. 

Greedy  (2006) 

Risk  factors  leading  to  cost 
overruns  in  the  delivery  of 
highway  construction 
projects 

There  is  a  reciprocal  relationship 
between  the  project  budget  size  and  the 
percentage  of  cost  overruns  that  the 
client  can  use  to  determine  more 
accurate  cost  estimates 
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Summary 


The  research  in  risks  associated  with  construction  covers  a  wide  range  of  studies 
of  risk  analysis  and  risk  management.  The  research  provides  valuable  information  that 
can  be  directly  applied  to  federal  construction  since  the  construction  process  is  the 
similar.  Non-federal  construction  is  almost  identical  to  federal  construction  since  the 
building  science  used  by  the  AEC  Industry  is  applied  to  all  construction.  Therefore  the 
risks  associated  with  any  type  of  construction  will  also  be  similar  and  the  research 
methods  and  areas  of  application  used  in  the  study  of  risk  can  be  seamlessly  applied  to 
federal  construction. 

The  main  difference  in  non-federal  and  federal  construction  from  the  literature 
review  involves  management  policies.  Federal  construction  is  governed  by  US 
Government  regulations  and  for  the  USAF;  there  are  also  DoD  and  USAF  guidelines. 
These  policies  are  in  addition  to  the  standards  building  codes  and  practices  that  are  the 
nonn  in  the  construction  industry. 

Federal  construction  also  has  additional  factors  that  must  be  considered  for  risk 
management.  The  four  major  components  of  USAF  construction— Cl,  IT,  contract,  and 
cost  have  unique  requirements.  The  majority  of  USAF  construction  can  be  considered  a 
CIs  since  it  is  a  system  or  subsystem  of  a  CL  The  IT  requirements  are  more  stringent 
because  it  operates  within  a  secured  network.  The  contract  is  covered  by  the  FAR  and  is 
managed  by  the  USAGE  on  behalf  of  the  USAF.  The  cost  is  fixed  and  must  be  approved 
by  the  US  Congress. 
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The  range  of  research  into  risk  management  in  construction  provides  studies  that 
can  be  applied  to  federal  construction  but  because  of  some  unique  requirements,  there  are 
some  limitations  of  applicability  to  MILCON. 
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Mission  Assurance  Implications  for  Federal  Construction 
by  Building  Information  Modeling  Implementation 


Abstract 

The  increasing  use  of  Building  Information  Modeling  in  the  commercial  sector 
has  affected  construction  in  the  federal  sector.  The  Architecture,  Engineering,  and 
Construction  Industry  perform  design  and  construction  for  federal  agencies  and  using 
Building  Information  Modeling  will  impact  the  federal  construction  process.  Building 
Information  Modeling  is  a  design  process  that  operates  in  an  information  technology 
environment.  It  contains  dynamic  and  interactive  features  that  allow  for  greater 
efficiency  in  the  design  and  construction  of  a  facility.  However,  the  use  of  Building 
Information  Modeling  in  federal  construction  does  present  some  degree  of  risk  because  of 
these  features.  The  authors  identified  potential  security  risks  associated  with  its 
implementation  by  studying  the  United  States  Air  Force  Military  Construction  process. 

As  risks  were  identified,  mitigation  measures  were  recommended.  Federal  agencies 
involved  in  construction  must  be  cognizant  of  these  risks  and  their  related  costs 

Key  words:  Building  Information  Modeling,  Military  Construction,  Federal 
Construction,  Mission  Assurance,  Critical  Infrastructure,  Risk 
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Introduction 


As  the  use  of  Information  Technology  (IT)  in  construction  becomes  more 
widespread  in  the  Architecture,  Engineering,  and  Construction  (AEC)  industry,  it  will 
impact  federal  construction  (Suennann,  2009).  Most  communication  between  AEC  firms 
and  federal  agencies  are  done  electronically;  these  communications  include  solicitation, 
proposals,  contract  documents,  and  project  designs.  Solicitation  is  done  by  advertising 
project  requirements  on  the  website  https://www.fbo.gov/  (Federal  Business 
Opportunities,  2011).  AEC  firms  interested  in  the  project  must  register  for  access  to  the 
site  and  can  submit  their  proposal  electronically.  When  an  AEC  firm  is  selected  for  a 
project,  electronic  exchange  of  contract  documents  between  the  AEC  firm  and  federal 
agencies  begin  (USAGE,  2010).  This  communication  grows  to  include  the  project  design 
drawings,  bill  of  material,  schedules,  cost  estimates,  personnel  information,  and  other 
construction  information.  The  security  of  these  sensitive  communications  relies  heavily 
on  the  IT  infrastructure  and  security  protocols  (Information  Assurance  Technology 
Analysis  Center,  2009). 

Since  Building  Information  Modeling  (BIM)  is  considered  the  next  generation  of 
design  technology  (Eastman  et  ah,  2008),  its  functionality  depends  on  the  robustness  of 
the  IT  system  that  supports  it  (Fumeaux  and  Kivits,  2008).  BIM  will  also  be  affected  by 
existing  IT  infrastructure  and  security  protocols.  The  consequences  of  compromised 
BIM  data  will  be  more  significant  than  conventional  design  since  BIM  contains  much 
more  details  of  the  project  in  a  single  model.  These  details  include  a  3-dimensional  (3D) 
model  of  the  facility,  bill  of  material,  schedules,  cost  infonnation,  and  interactive  design 
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attributes.  The  risks  associated  with  facility  design  using  BIM  is  of  greater  concern  to 
federal  agencies  like  the  Department  of  Defense,  who  invests  a  significant  amount  of 
money  on  critical  infrastructure,  which  is  expected  to  be  secure  and  not  prone  to  security 
breaches. 

The  Department  of  Defense  Military  Construction  (MILCON)  Budget  represents 
a  large  amount  of  construction  business  for  the  AEC  Industry  with  an  annual  average  of 
over  $15  billion  for  the  past  10  years  (Office  of  the  Undersecretary  of  Defense,  2010). 
AEC  firms  attempt  to  be  most  efficient  in  their  construction  process  to  be  competitive  for 
federal  construction  projects.  At  the  same  time,  federal  agencies  seek  to  obtain  the  best 
value  for  the  Government  when  awarding  contracts  for  construction  projects  (USAGE, 
2010).  BIM  offers  a  method  to  effectively  design  a  facility  while  maximizing  work 
performance  during  construction  (Eastman  et  ah,  2008).  For  these  reasons,  the  AEC 
Industry  and  federal  agencies,  including  the  United  States  Air  Force  (USAF)  and  United 
States  Anny  Corps  of  Engineers  (USACE),  are  currently  implementing  policies  to  require 
the  use  of  BIM  in  the  design  and  construction  of  federal  facilities  (Air  Force  Center  for 
Engineering  and  the  Environment,  2010).  BIM  offers  the  ability  to  design  a  3D  model  of 
a  facility  that  exists  in  a  dynamic,  interactive  environment.  BIM  models  are  very  detailed 
and  show  every  aspect  of  the  facility  (Eastman  et  ah,  2008).  The  power  of  BIM  to 
produce  precise  and  accurate  design  details  poses  a  security  risk  to  the  federal 
construction  process  by  allowing  details  not  available  in  conventional  2-dimensional  (2D) 
design  to  be  made  public.  The  concern  is  greater  if  the  facility  is  one  that  handles 
confidential  or  classified  information  such  as  embassies  and  intelligence  operations 
(Public  Law,  2002). 
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This  paper  examines  the  potential  risk  to  mission  assurance  involved  in 
implementing  BIM  in  the  federal  construction  process.  The  study  will  focus  on  the 
MILCON  program  used  by  the  USAF  where  the  USAGE  performs  the  contracting  and 
project  management  function  for  military  services.  The  USACE  coordinates  with  the 
selected  AEG  firm  to  execute  the  construction  of  the  facility  on  behalf  of  the  USAF 
(Furneaux  and  Kivits,  2008). 

What  is  BIM? 

BIM  is  a  design  process  that  produces  an  infonnational  model  of  a  facility;  BIM 
is  not  considered  a  product  (Eastman  et  ah,  2008).  The  model  is  “a  computable 
representation  of  the  physical  and  functional  characteristics  of  a  facility”  (Eastman  et  ah, 
2008)  and  is  made  up  of  objects  represented  by  graphical  lines,  shapes,  and  symbols.  The 
objects  contain  attributes  with  specific  properties  such  as  product  information,  solid  or 
void  spaces,  material  specification,  and  space  orientation.  These  objects  allow  the  model 
to  be  conceptual  in  nature  or  detailed  enough  for  construction.  BIM  also  provides  tools 
for  selecting,  extracting,  and  editing  the  objects'  characteristics.  The  ability  to  select  and 
manipulate  objects  in  the  model  allows  for  the  viewing  of  specific  sections  of  the  model 
from  different  orientations.  The  selected  objects  remain  consistent  in  size  and  location  in 
all  views.  This  consistency  eliminates  these  types  of  errors  that  occur  in  2D  modeling. 

BIM  also  defines  objects  parametrically  so  that  they  serve  as  parameters  in 
relation  to  other  objects.  This  feature  allows  for  universal  editing  of  an  object's  property; 
if  a  change  is  made  in  one  object,  parametric-related  objects  would  automatically  change 
based  on  the  properties  programmed  in  the  original  objects  (Eastman  et  ah,  2008).  Any 
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change  is  updated  in  the  entire  model;  these  changes  can  be  as  complex  as  material 
specification  or  simple  as  paint  color. 

The  properties  of  objects  in  BIM  are  also  computable,  which  allows  for  cost 
estimation,  creation  of  bills  of  material,  and  clash  detection  before  any  construction 
begins.  The  computability  feature  can  also  be  used  to  analyze  energy  use,  lighting, 
acoustics,  heating,  and  other  features  that  will  exist  when  the  facility  is  complete.  These 
capabilities  allow  for  better  collaboration  during  the  design  process  whereby  owners  and 
the  AEC  firm  can  explore  configuration  possibilities.  Since  BIM  exists  in  an  dynamic 
and  interactive  environment,  designers,  engineers,  contractors,  and  subcontractors  can 
view  the  model  in  real  time  and  detennine  how  changes  would  affect  their  part  of  the 
construction. 

The  current  process  of  facility  design  uses  2D  drawings,  which  are  created  by 
computer-aided  design  (CAD)  software.  These  techniques  produce  an  electronic  2D 
drawing  that  can  be  transmitted  electronically  or  printed  on  paper  (Eastman  et  ah,  2008). 
The  use  of  conventional  design  methods  do  present  some  risk,  because  it  contains 
information  needed  to  construct  a  facility.  However,  the  risk  is  considered  low  since 
multiple  sets  of  drawings  are  required  to  produce  a  complete  model. 

The  conventional  design  exists  in  electronic  or  paper  format  and  is  not  as  easily 
visualized  as  in  a  3D  model.  Although  the  2D  design  process  creates  and  represents  all 
the  infonnation  needed  for  the  facility,  this  infonnation  exists  in  separate  and  distinct 
drawings.  It  is  difficult  to  conceptualize  a  facility  and  its  component  systems  from  a  set 
of  2D  drawings.  The  2D  modeling  process  does  not  have  the  ability  to  select  or  deselect 
various  attributes  of  the  design.  Designers  and  engineers  incorporate  changes  in  2D 
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design  by  editing  paper  copies  and  submitting  them  to  the  design  owner  or  CAD  operator 
for  revision. 

The  capabilities  of  BIM  may  affect  the  way  in  which  the  federal  construction 
process  works,  so  its  implementation  must  be  considered  at  all  steps  in  the  construction 
process.  The  USAF  MILCON  process  includes  Requirements,  Programming,  Funding, 
Solicitation,  AEC  Evaluation,  Award,  Project  Validation,  Design  and  Construction,  and 
Project  Management  (USAGE,  2010;  AFI  32-1023,  2010).  Risks  can  be  identified  by 
studying  these  steps. 

MILCON  Process 

Figure  1  shows  the  major  steps  of  the  MILCON  process,  which  are  broadly 
classified  into  three  phases  for  this  study:  the  Conception  Phase,  the  Planning  Phase,  and 
the  Execution  Phase.  The  areas  of  control  for  the  USAF,  the  USAGE,  and  AEC  are 
shown  on  the  horizontal  tracks.  These  three  entities  play  specific  roles  in  the 
construction  of  federal  facilities  and  must  follow  federal  contracting  and  construction 
requirements.  The  USAF,  as  the  main  customer,  is  involved  in  all  aspects  of  the 
MILCON  process.  The  USAGE  becomes  involved  once  the  project  is  funded,  and  the 
AEC  firm  is  involved  in  the  Solicitation,  Project  Validation,  and  Design-Build  Steps 
(USACE,  2010;  AFI  32-1023,  2010). 

Figure  1  also  shows  the  steps  of  the  MILCON  process  where  BIM  is  used;  these 
steps  are  highlighted  by  hatch  marks  and  only  these  steps  will  be  evaluated  and  given  a 
risk  rating.  As  risks  are  identified,  the  corresponding  ratings  are  determined  by  using  the 
levels  of  Threat,  Vulnerability,  and  Consequence  for  that  particular  step. 
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Conception  Phase. 

The  Conception  Phase  consists  of  the  Requirements,  Programming,  and  Funding 
Steps.  BIM  is  not  used  in  these  steps. 

Requirements:  Translates  a  need  or  request  for  a  facility  into  quantifiable 
requirement  documents. 

Programming:  Develops  justification  for  the  facility  request  and  seeks  approval. 

Funding:  All  MILCON  projects  must  be  approved  by  the  United  States  Congress 
(USAGE,  2010;  AFI  32-1023,  2010).  For  this  reason,  the  project  request  is  vetted  and 
prioritized  at  several  levels  before  it  can  be  funded.  After  Funding,  the  project  moves  to 
the  Planning  Phase. 

Planning  Phase. 

The  Planning  Phase  includes  the  Solicitation,  AEC  Evaluation,  and  Award  Steps. 
In  this  Phase,  BIM  is  only  used  in  the  Solicitation  and  the  AEC  Evaluation  steps. 
Solicitation:  Advertises  the  project  and  requests  bids  from  interested  AEC  firms. 

AEC  Evaluation:  Representatives  from  the  USAF  and  the  USACE  evaluate  bids  from 
the  AEC  firms  and  selects  the  bid  that  is  deemed  the  best  value  to  the  US  Government. 
Award:  Announces  which  AEC  firm  was  selected  for  the  project.  The  AEC  firm  signs  a 
contract  with  the  Government,  through  the  USACE,  for  the  design  and  construction  of 
the  facility. 
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Figure  1  MILCON  Process  Flow  and  Areas  of  Control 
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Execution  Phase. 


The  Execution  Phase  consists  of  Project  Validation,  Design-Build,  and  Project 
Management  Steps.  Extensive  BIM  use  occurs  in  this  phase  of  the  MILCON  process. 

Project  Validation:  Details  of  the  project  and  contract  requirements  are 
coordinated  among  the  USAF,  the  USAGE,  and  the  AEG  firm. 

Design-Build:  The  facility  design  begins  and  certain  type  of  construction,  such  as 
site  preparation,  may  start.  The  design  may  go  through  several  iterations  before  a  final 
design  is  approved. 

Project  Management:  USAGE  manages  all  aspects  of  the  construction  and 
coordinates  with  the  USAFE  to  resolve  any  issues. 

Risk 


The  risk  of  using  BIM  in  federal  construction  occurs  at  several  key  steps  in  the 
process.  The  risk  is  determined  by  the  factors  involved  at  these  steps  or  by  the  entity 
controlling  the  steps  or  a  combination  of  factors  and  control.  The  risk  of  compromise  of 
the  facility  design  can  be  due  to  the  IT  requirements  of  BIM  within  an  agency  or 
communication  between  agencies.  Risk  also  arises  from  contractual  requirements  of  the 
federal  acquisition  process,  which  requires  communication  of  design  information  that 
introduces  additional  risk  (USAGE,  2010;  AFI  32-1023,  2010).  The  risk  involved  in 
using  BIM  in  the  MILCON  process  will  vary  for  each  phase  of  the  MILCON  process  and 
will  also  vary  from  one  agency  to  another.  From  a  security  perspective,  the  USAF  and 
USACE  primary  concern  is  the  compromise  of  the  design  and  construction  of  the  facility. 
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However,  the  AEC  firms  may  be  more  concerned  with  protecting  their  design  and  bid 
details  from  their  competitors. 

BIM  is  not  involved  in  the  MILCON  process  until  interested  AEC  firms  submit 

proposals  for  the  construction  project.  From  this  point,  the  risks  involved  in  using  BIM 

begin.  However,  until  the  Government  selects  an  AEC  firm,  the  risk  rests  mainly  on  the 

AEC  firm  submitting  the  proposal.  Personnel  representing  the  Government  must  be 

aware  of  the  risks  presented  by  BIM  use  at  this  point  and  ensure  security  measures  are  in 

place.  The  risks  associated  with  the  steps  under  the  USAF  control  are  minimal  since 

BIM  is  not  used  in  these  steps.  The  risk  associated  with  the  steps  under  the  US  ACE  and 

USAF  is  higher,  because  the  Solicitation,  AEC  Review,  and  Award  Steps  require  the  use 

of  BIM.  After  the  contract  is  awarded,  the  risk  factors  become  more  significant  since 

BIM  becomes  a  major  part  of  the  construction  process  and  is  most  critical  at  the  design 

phase  where  it  is  used  extensively. 

Risk  is  an  integration  of  threat,  vulnerability,  and  consequence: 

“ Threat  is  a  measure  of  the  likelihood  that  a  specific  type  of  attack  will  be 
initiated  against  a  specific  target. 

Vulnerability  is  a  measure  of  the  likelihood  that  various  types  of  safeguards 
against  threat  scenarios  will  fail. 

Consequence  is  the  magnitude  of  the  negative  effects  if  the  attack  is  successful” 
(Volpe  Center,  2003). 

The  Volpe  Center  represents  this  relationship  with  the  following  formula  (Volpe  Center, 
2003): 

Risk  =  Threat  x  Vulnerability  x  Consequence  (1) 

Recent  research  has  shown  that  there  are  limitations  to  this  formula  when  considering 
terrorists  attacks  and  that  risk  is  a  function  of  its  three  components  (Cox,  2008): 
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Risk  =/  (Threat,  Vulnerability,  Consequence) 


(2) 


However,  the  depth  of  research  needed  to  study  this  concept  is  beyond  the  scope  of  this 
paper  and  the  authors  used  a  modified  version  of  Formula  (1): 

Risk  =  Threat  +  Vulnerability  +  Consequence  (3) 

The  risk  for  each  step  in  the  MILCON  process  is  evaluated  using  this  formula  where 
values  are  assigned  to  the  probability  of  occurrence  of  the  Threat,  Vulnerability,  and 
Consequence  based  on  the  Likert  Scale  (Trochim,  2006).  The  values  and  ratings  are 
shown  in  Table  17.  The  cumulative  value  obtained  from  the  formula  is  then  used  to 
determine  a  value  for  the  risk  and  its  corresponding  rating.  These  values  and  ratings  are 
also  based  on  Likert  Scaling  and  are  shown  in  Table  18. 


Table  17  Rating  for  risk  and  its  components 


Possibility  of  Occurrence 

Threat,  Vulnerability,  Consequence 

RISK 

Threat  +  Vulnerability  +  Consequence 

Possibility 

Value 

Rating 

RISK 

Value 

Risk 

Rating 

Very  Unlikely 

1 

Very  Low 

1-3 

Very  Low 

Unlikely 

2 

Low 

4-6 

Low 

Possible 

3 

Medium 

7-9 

Medium 

Likely 

4 

High 

10-  12 

Very  Likely 

5 

Very  High 

13  -  15 

Interception  of  design. 

Threat:  Since  BIM  exists  in  an  electronic  format,  there  is  the  possibility  that  it 
may  be  intercepted  during  transmittal. 
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Vulnerability:  The  use  of  electronic  communication  makes  any  transmission 
vulnerable  to  interception.  The  degree  of  vulnerability  will  depend  on  the  network 
security  of  each  user;  the  vulnerability  will  be  based  on  the  weakest  security  system. 

Consequence:  The  consequence  of  interception  can  range  from  loss  of 
confidentiality  of  the  design  and  contract  information  to  deliberate  sabotage  of  the  BIM 
model.  These  situations  may  arise  from  competition  among  contractors  or  acts  by 
terrorist  groups. 

Recommended  Mitigation  Measures :  AEC  firms  should  employ  electronic 
security  protocols  to  reduce  the  chances  of  the  design  being  intercepted.  The 
communication  link  should  be  secured  to  deny  unauthorized  access  to  the  BIM  server. 
Personnel  who  evaluate  bids  must  employ  strict  control  over  the  BIM  information  to 
avoid  compromising  any  bids. 

Unauthorized  distribution. 

Threat:  Unauthorized  Distribution  may  allow  a  facility  design  to  reach 
unintended  or  unauthorized  people  or  groups. 

Vulnerability:  Distribution  to  unapproved  or  unknown  parties  may  occur  because 
of  the  ease  of  sending  data  electronically.  This  distribution  may  occur  inadvertently  or 
deliberately. 

Consequence:  Unauthorized  distribution  can  result  in  the  loss  of  confidentiality  of 
design  and  contracting  information.  Since  unauthorized  or  unintended  recipients  may  not 
be  identified,  the  facility  information  is  deemed  compromised. 

Recommended  Mitigation  Measures:  A  distribution  list  of  people  authorized  to 
send  and  receive  BIM  information  should  be  created  and  updated  periodically.  The 
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number  of  people  on  this  list  should  be  kept  at  a  minimum  and  only  include  people  who 
need  to  send  and  receive  BIM  information.  The  information  itself  should  be  encrypted  so 
that  in  the  event  unauthorized  parties  receive  it,  they  will  not  be  able  to  access  it. 

Unauthorized  Access  to  BIM  Design. 

Threat:  Unauthorized  access  is  a  widespread  threat,  because  it  can  occur 
anywhere  the  design  exists  and  may  result  in  unauthorized  distribution  and  changes  to  the 
existing  design. 
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Table  18  Risk  associated  with  BIM  use 


MILCON  Process  Steps  Using  BIM 

RISK 

Solicitation 

AEC  Evaluation 

Project  Validation 

Design-Build 

Project  Management 

A. 

Unauthorized 

Interception 

Threat  =  2  —*■  L 
Vulnerability  =  2  — >  L 
Consequence  =  2  — ►  L 

Threat  =  2  — ►  L 
Vulnerability  =  3  — >  M 
Consequence  =  3  — »  M 

Threat  =  2  — ►  L 
Vulnerability  =  2  — >  L 
Consequence  =  2  — >  L 

Threat  =  4  — ►  H 
Vulnerability  =  5  — >  VH 
Consequence  =  4  — >  H 

Threat  =  4  — >  H 
Vulnerability  =  4  — >  H 
Consequence  =  2  — >  L 

RISK  =  6  — >  LOW 

RISK  =  8  -*•  MEDIUM 

RISK=  6  — ►  LOW 

RISK  =  13  -*• 

RISK  =  10-»^H 

B. 

Unauthorized 

Distribution 

Threat  =  2  — ►  L 
Vulnerability  =  2  — >  L 
Consequence  =  2  — >  L 

Threat  =  2  — >  L 
Vulnerability  =  3  — >  M 
Consequence  =  3  — >  M 

Threat  =  2  — ►  L 
Vulnerability  =  3  — ►  M 
Consequence  =  3  — ►  M 

Threat  =  4  — >  H 
Vulnerability  =  5  — >  VH 
Consequence  =  4  — >  H 

Threat  =  4  — ►  H 
Vulnerability  =  4  — ►  H 
Consequence  =  2  — ►  L 

RISK  =  6  — >  LOW 

RISK  =  8  -►  MEDIUM 

RISK  =  8  —>  MEDIUM 

RISK  =  13 

RISK  = 

C. 

Unauthorized 

Access 

Threat  =  2  —>L 
Vulnerability  =  2  — ►  L 
Consequence  =  3  — >  M 

Threat  =  2  — »  L 
Vulnerability  =  2  — >  L 
Consequence  =  3  — >  M 

Threat  =  2  — >  L 
Vulnerability  =  3  — »  M 
Consequence  =  2  — >  L 

Threat  =  4  — >  H 
Vulnerability  =  4  — »  H 
Consequence  =  4  — >  H 

Threat  =  2  — ►  L 
Vulnerability  =  2  — ►  L 
Consequence  =  2  — ►  L 

RISK  =  7  ->  MEDIUM 

RISK  =  7  -*•  MEDIUM 

RISK  =  7  -►  MEDIUM 

RISK  =  12->^H 

RISK  =  6  -*  LOW 

D. 

Unauthorized 

Alteration 

Threat  =  3  — >  M 
Vulnerability  =  3  — ►  M 
Consequence  =  4  — ►  H 

Threat  =  3  — >  M 
Vulnerability  =  3  — ►  M 
Consequence  =  3  — ►  M 

Threat  =  2  — ►  L 
Vulnerability  =  3  — >  M 
Consequence  =  2  —>  L 

Threat  =  4  — >  H 
Vulnerability  =  4  — ►  H 
Consequence  =  4  — ►  H 

Threat  =  2  — ►  L 
Vulnerability  =  2  — ►  L 
Consequence  =  2  — ►  L 

RISK  =  10 -► 

RISK  =  9->  MEDIUM 

RISK  =  7  -►  MEDIUM 

RISK  =  12 

RISK  =  6  -►  LOW 

E. 

Multiple  Designs 

Threat  =  3  — ►  M 
Vulnerability  =  3  — >  M 
Consequence  =  4  — >  H 

Threat  =  3  — >  M 
Vulnerability  =  3  — ►  M 
Consequence  =  3  — > M 

Threat  =  2  — >  L 
Vulnerability  =  3  — ►  M 
Consequence  =  2  — >  L 

Threat  =  5  — >  VH 
Vulnerability  =  5  — >  VH 
Consequence  =  5  — >  VH 

Threat  =  5  — >  VH 
Vulnerability  =  5  — »  VH 
Consequence  =  5  — >  VH 

RISK  =  10 

RISK  =  9  ->  MEDIUM 

RISK  =  7  -►  MEDIUM 

RISK  =  15  -► 

RISK  =  15  ->• 

F. 

Server 

Compromise 

Threat  =  4  — >  H 
Vulnerability  =  4  — >  H 
Consequence  =  5  — >  VH 

Threat  =  2  — ►  L 
Vulnerability  =  2  — ►  L 
Consequence  =  2  — ►  L 

Threat  =  2  —>  L 
Vulnerability  =  2  — ►  L 
Consequence  =  2  — ►  L 

Threat  =  5  ->  VH 
Vulnerability  =  4  — >  H 
Consequence  =  5  — >  VH 

Threat  =  4  — »  H 
Vulnerability  =  3  — >  M 
Consequence  =  3  — >  L 

RISK  =  13  -» 

RISK  =  6  ->  LOW 

RISK=  6  — >  LOW 

RISK  =14  — > 

RISK  =  10 

G. 

Alteration  Errors 

Threat  =  3  — >  M 
Vulnerability  =  3  — >  M 
Consequence  =  4  — >  H 

Threat  =  2  — ►  L 
Vulnerability  =  2  — ►  L 
Consequence  =  2  — ►  L 

Threat  =  2  —>L 
Vulnerability  =  2  — ►  L 
Consequence  =  2  — »  L 

Tlireat  =  5  ->  VH 
Vulnerability  =  5  — >  VH 
Consequence  =  5  — >  VH 

Threat  =  3  — >  M 
Vulnerability  =  3  — *  M 
Consequence  =  3  — >  M 

RISK  =  10 -► 

RISK  =  6  — ►  LOW 

RISK  =  6  —>  LOW 

RISK  =  15  -> 

RISK  =  9  ^  MEDIUM 

H. 

Management 

Errors 

Threat  =  2  —*■  L 
Vulnerability  =  2  — >  L 
Consequence  =  2  — >  L 

Threat  =  2  — ►  L 
Vulnerability  =  2  — »  L 
Consequence  =  2  — *  L 

Threat  =  4  — *  H 
Vulnerability  =  4  — >  H 
Consequence  =  4  — >  H 

Threat  =  5  ->  VH 
Vulnerability  =  4  — *  H 
Consequence  =  5  — >  VH 

Threat  =  4  — *  H 
Vulnerability  =  4  — >  H 
Consequence  =  5  — >  VH 

RISK  =  6  — >  LOW 

RISK  =  6  -*•  LOW 

RISK- 

RISK  =14  — > 

RISK  =  13— ► 
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Vulnerability:  Unauthorized  access  to  the  design  is  possible  if  adequate  security 
protocols  are  not  in  place.  The  degree  of  vulnerability  depends  on  the  security  of  the 
locations  where  the  design  infonnation  is  kept. 

Consequence:  Unauthorized  access  can  compromise  the  design  and  contracting 
information.  Unauthorized  distribution  and  design  changes  may  occur  and  not  be 
discovered. 

Recommended  Mitigation  Measures :  The  layers  of  security  that  protect  BIM 
information  must  be  in  place  and  evaluated  frequently.  Since  all  access  points  must  meet 
the  required  security  level,  there  should  be  security  protocol  agreement  at  the  initial 
meeting  of  the  USAF,  USAGE,  and  the  AEC  firm. 

Unauthorized  Alteration  of  Design. 

Threat:  Unknown  or  unauthorized  changes  in  the  design  can  occur  without 
detection.  This  may  be  inadvertent  or  deliberate. 

Vulnerability:  Once  there  is  access  to  the  BIM  information,  anyone  who  has  the 
knowledge  can  make  changes  to  the  BIM  design.  The  degree  of  vulnerability  is  based  on 
the  vulnerability  of  access  to  the  design. 

Consequence:  Unknown  or  unauthorized  changes  in  the  design  can  ultimately 
result  in  a  design  and  facility  that  was  not  originally  conceived  or  approved.  However, 
any  significant  alteration  will  eventually  be  discovered  so  the  effect  will  not  be 
substantial. 

Recommended  Mitigation  Measures :  A  design  team  should  be  designated.  This 
team  can  produce  read-only  designs  for  people  who  do  not  need  to  make  design  changes. 
The  design  team  should  be  the  only  body  authorized  to  makes  changes  to  the  design. 
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Additionally,  there  should  be  a  log  to  record  who  accessed  the  design  and  document  any 
changes  that  were  made.  A  backup  system  should  be  installed  to  memorialize  several 
past  designs  in  case  changes  need  to  be  undone. 

Multiple  Designs. 

Threat:  Since  BIM  operates  in  a  dynamic  and  multi-user  environment,  there  will 
be  multiple  users  making  design  alteration  within  their  purview.  This  will  result  in 
multiple  versions  of  the  design  and  there  will  need  to  be  a  process  to  incorporate  all 
changes  and  resolved  any  clashes. 

Vulnerability:  Multiple  versions  of  the  design  is  very  common  since  there  are 
multiple  users  contributing  to  the  model.  Designers  will  focus  on  their  specialty  leading 
to  multiple  version  of  the  design. 

Consequence:  Each  construction  specialty  will  edit  their  parts  of  the  design 
resulting  in  numerous  versions.  With  multiple  designs,  there  will  be  some  degree  of 
confusion  and  unnecessary  work  to  incorporate  all  the  different  versions  in  a  single 
model.  This  can  lead  to  construction  clashes  and  the  unnecessary  perfonnance  of  work 
based  on  the  wrong  design. 

Recommended  Mitigation  Measures :  Individual  design  changes  must  be 
discouraged  or  prevented.  The  project  team  must  approve  any  changes  to  the  original 
BIM  design.  Additionally,  the  person  who  makes  the  final  decision  and  approves  all 
changes  must  be  identified.  The  project  team  should  designate  a  design  entity  that  is 
responsible  for  control  the  master  copy  of  the  BIM  design.  This  entity  should  approve 
and  perfonn  any  changes  to  the  design.  The  legal  status  of  who  "owns"  the  design  must 
also  be  resolved  to  prevent  any  litigation  that  may  arise  after  construction  (Fumeaux  and 
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Kivits,  2008).  The  possibility  exists  that  individuals  who  make  changes  to  the  design 
may  stake  some  claim  to  the  final  design. 

Server  Compromise. 

Threat:  Since  BIM  exists  and  functions  on  an  electronic  platform,  this  platfonn 
must  be  networked  to  allow  for  collaboration  and  coordination  of  multiple  users.  The 
facility  design  is  susceptible  to  compromise  if  there  is  uncontrolled  access  to  this 
platform. 

Vulnerability:  In  order  for  BIM  to  be  dynamic  and  interactive,  it  must  operate  on 
a  server  to  allow  multiple  users.  With  multiple  users  accessing  the  BIM  design,  the 
chance  for  compromise  by  alteration,  distribution,  or  destruction  increases. 

Consequence:  The  compromise  of  the  BIM  server  can  result  in  the  alteration  and 
distribution  of  the  facility  design.  The  design  can  also  be  damage,  destroyed,  or  deleted. 

Recommended  Mitigation  Measures:  The  BIM  server  can  be  protected  by  having 
effective  IT  infrastructure  and  security  protocols  in  place.  Additionally,  personnel  must 
be  trained  and  vetted  to  ensure  they  know  how  to  operate  the  system  and  can  be  trusted. 

Alteration  Errors. 

Threat :  Revisions  and  edits  presented  by  the  three  agencies  may  result  in  a  design 
containing  errors  and  may  affect  the  construction  of  the  facility. 

Vulnerability.  With  a  relatively  large  amount  of  people  from  three  different 
agencies  making  or  suggesting  numerous  changes  and  updates  to  the  design,  there  is  the 
possibility  that  errors  may  be  included.  These  errors  may  go  unnoticed  since  there  are 
multiple  people  working  on  the  design. 
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Consequence :  Alteration  errors  will  produce  a  facility  design  that  contains  flaws. 
If  these  inaccurate  changes  are  not  detected,  the  construction  process  and  the  actual 
facility  or  it  composite  sections  may  be  also  be  flawed. 

Recommended  Mitigation  Measures:  The  three  agencies  must  designate  a  ‘design 
team’  to  coordinate  all  alteration  and  edits  to  the  design.  This  team  should  be  responsible 
for  compiling,  tracking,  and  performing  all  edits. 

Management  Errors. 

Threat :  With  three  separate  agencies  involved  in  federal  construction,  there  is  the 
possibility  that  there  will  be  conflicting  directions  from  different  personnel.  This  can 
result  in  duplication  of  effect,  errors  in  design,  and  possible  legal  claims. 

Vulnerability:  Numerous  inputs  from  different  agencies  can  result  in  errors.  The 
more  input  there  is  the  greater  there  is  the  chance  for  error. 

Consequence:  Management  errors  will  result  in  design  flaws  and  possibly  flaws 
in  the  facility  itself.  Additionally,  since  there  are  legal  contractual  requirements  for 
federal  personnel,  the  AEC  firm  can  file  claims  against  the  Government  for  following 
unauthorized  directions. 

Recommended  Mitigation  Measures:  The  project  team  must  identify  who  the  key 
decision-makers  are  and  what  their  level  of  responsibility  and  authority  is.  These 
decision-makers  should  coordinate  all  requirements  with  their  agencies  before  making 
presentations  to  the  other  agencies. 
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Risk  and  Cost 


The  amount  of  risk  the  project  team  is  willing  to  accept  affects  the  project  cost. 
Figure  2  shows  a  relationship  of  risk  planning  and  cost  using  three  curves.  Curves  1  and 
Curve  2  work  in  concert  with  each  other.  If  a  project  team  plans  for  a  high  degree  of  risk, 
initial  cost  for  mitigation  measures  will  be  high  and  if  a  risk  event  occurs,  there  will  be 
low  consequential  cost.  Conversely,  if  a  project  team  plans  for  a  low  degree  of  risk  and  a 
risk  event  occurs,  there  will  be  high  consequential  cost  since  fewer  mitigation  measures 
are  in  place.  Curve  3  is  the  combination  of  costs  from  Curve  1  and  Curve  2.  The 
intersection  of  Curve  1  and  Curve  2  lies  within  the  best  value  region  of  total  risk  costs. 
Management  Teams  should  balance  Curve  3  with  other  project  costs. 

This  concept  can  be  shown  by  considering  Risk  D  -  Unauthorized  Alteration:  an 
unwanted  change  to  the  design  may  go  undetected  and  cause  other  aspects  of  the  design 
to  be  flawed.  Once  the  mistake  is  discovered,  it  will  take  additional  man-hours  and  time 
to  correct  the  flaw.  The  mitigation  cost  in  this  example  will  be  to  invest  in  backup 
systems  to  record  the  design  at  various  stages  and  hire  additional  personnel  to  control 
design  inputs.  The  consequential  cost  is  the  time  and  man-hours  spent  on  tracing  the 
change  and  correcting  design  errors  caused  by  it.  The  project  team  must  decide  what 
risks  and  cost  they  are  willing  to  accept. 
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Figure  2  Relationship  between  cost  and  risk  (Bea,  2009) 


Conclusion 


The  AEC  have  advocated  the  benefits  of  BIM  and  federal  agencies  have  begun  to 
formulate  policies  for  its  implementation.  Federal  construction  will  be  impacted  by  this 
implementation  since  BIM  design  involves  changing  certain  procedures  that  are  used  in 
current  construction  process  using  2D  design.  While  BIM  has  tremendous  benefits  in  the 
production  and  collaboration  of  a  facility  design,  there  are  some  risks  associated  with  its 
use.  Some  of  the  features  that  make  it  more  efficient  than  conventional  design  are  the 
same  features  that  produce  vulnerabilities.  These  risks  are  especially  important  for 
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federal  construction  when  critical  infrastructure  is  involved  and  greater  security  is 
needed.  The  vulnerability  in  each  step  of  the  process  that  involves  BIM  must  be  analyzed 
to  identify  and  mitigate  any  potential  risk.  The  project  team  and  the  facility  owner  must 
decide  how  much  risk  they  are  willing  to  undertake  and  how  much  money  they  are 
willing  to  mitigate  risks.  They  must  balance  these  costs  and  risk  throughout  the  project 
since  each  phase  presents  different  levels  of  risk.  On  the  surface,  it  may  appear  that  the 
majority  of  risks  associated  with  BIM  seem  IT  related;  however,  the  federal  construction 
process  has  unique  requirements  that  must  be  considered  when  using  BIM.  The  authors 
understand  that  this  paper  is  an  initial  assessment  of  the  risks  associated  with  BIM 
implementation;  however,  it  provides  a  framework  for  further  investigation  by  other 
federal  agencies. 

References 

The  references  of  this  article  are  combined  with  the  thesis. 
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IV.  Conclusion 


Overview 

This  chapter  summarizes  the  results  and  findings  of  the  research.  The  literature 
review  provided  a  large  and  comprehensive  background  on  the  methods  used  in  the  study 
of  risk  analysis  and  risk  management.  The  majority  of  these  methods  were  based  on  the 
management  and  governing  policies  for  the  particular  operation  for  the  risk.  The  risk 
management  decisions  for  the  given  process  were  based  on  the  information  gathered  from 
the  risk  analysis  and  the  policies  governing  the  operation.  The  majority  of  studies 
indicated  that  risk  management  must  consider  the  integration  of  the  components  of  risk- 
threats,  vulnerabilities,  and  consequences;  in  the  methods,  management,  and  application 
of  risk.  This  integration  was  seen  in  the  case  studies.  The  literature  review  also  revealed 
there  was  a  strong  relationship  among  the  four  major  components  of  MILCON.  This 
relationship  was  very  close  for  the  Cl  and  IT,  where  IT  was  sometimes  considered  a  Cl 
on  its  own.  In  addition,  contract  and  cost  were  closely  linked  since  a  contract  is  created 
for  the  performance  of  work  based  on  an  agreed  cost. 

The  risk  analysis  of  BIM  implementation  showed  the  significant  role  that  IT  plays 
in  the  MILCON  process.  The  analysis  also  revealed  that  although  most  of  the  risks  are 
IT-related,  there  are  other  risks  involving  the  federal  construction  process.  The  BIM 
implementation  risk  analysis  also  showed  the  importance  of  the  cost  of  risk  in  a 
construction  project  where  the  cost  of  mitigating  a  risk  was  compared  to  the 
consequential  cost  of  a  risk  occurring.  The  analysis  indicated  that  the  project 
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management  team  must  consider  the  total  risk  cost  for  the  project  and  balance  this  risk 
cost  between  mitigation  measures  and  the  cost  of  the  consequences  of  the  risk  occurring. 
The  study  recommends  a  best  value  region  for  risk  cost  based  on  the  total  project  cost  as 
shown  in  Figure  2. 

Significance  of  Research 

The  finding  in  this  research  shows  that  risk  analysis  and  risk  management  is  an 
important  factor  in  construction  and  knowledge  gained  from  risk  research  can  be 
incorporated  into  the  federal  construction  process.  The  literature  review  provides  a 
starting  point  for  further  detailed  research  into  the  specific  areas  of  risk  in  construction. 
This  literature  review  can  be  used  as  a  database  of  research  into  construction  risk  and  aid 
in  raising  questions  and  suggesting  areas  for  further  investigation. 

The  risk  analysis  of  BIM  implementation  identified  the  specific  risks,  the  severity, 
the  consequences,  and  possible  mitigation  measures.  It  provides  a  framework  for  other 
investigations  into  the  specific  threats,  vulnerabilities,  consequences,  and  mitigation 
measures  presented.  As  BIM  is  implemented  by  other  federal  agencies,  this  research  can 
provided  an  overview  of  some  of  the  risk  involved  so  stakeholders  will  have  information 
to  make  risk  management  decisions. 

Future  Research 

The  research  presented  in  this  thesis  can  be  used  as  a  source  of  reference  for 
further  study  of  risk  into  the  specific  areas  of  concern  for  an  organization.  Although 
there  are  several  existing  methods  for  conducting  risk  analysis,  further  research  to  other 
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methods  with  specific  application  to  federal  construction  will  be  beneficial.  A  central 
area  of  focus  is  the  development  of  a  more  robust  model  to  analysis  undefined  threats 
such,  terrorism  and  natural  disasters.  In  addition,  a  quantitative  risk  formula  will  remove 
some  of  the  bias  and  limit  personal  perspective  from  risk  management  decisions.  Areas 
that  warrant  further  studies  include: 

•  Quantitative  risk  fonnula 

•  Risk  analysis  methods  for  terrorism  and  natural  disaster 

•  Policy  for  AEC  risk  management  for  federal  construction 

•  Status  of  risk  management  by  other  federal  agencies 

•  Interaction  of  BIM  with  other  IT  processes,  such  as  GIS  and  contracting 
documents 

•  The  cost  of  BIM  implementation:  software,  additional  hardware,  network 
configuration,  maintenance,  training,  value  to  USAF 

Summary 

Risk  is  an  inherent  aspect  of  any  project  or  operation  and  it  must  be  considered 
during  the  design  and  construction  of  USAF  facilities  and  infrastructure.  A  risk  analysis 
of  an  operation  helps  detennine  the  threats,  vulnerabilities,  and  consequences  for  a 
particular  process.  An  integrated  view  of  these  components  of  risk  is  used  in  risk 
management  where  decision-makers  balance  the  cost  of  risk  mitigation  and  cost  of  risk 
consequences. 

The  risk  analysis  of  BIM  implementation  shows  there  are  significant  IT-related 
risks  in  using  BIM.  By  knowing  and  understanding  the  specific  threats,  its  significance, 
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and  its  cost,  management  can  choose  to  mitigate  the  risk  or  accept  the  consequences.  An 
operation  can  be  made  safer  by  investing  a  large  amount  of  money  in  mitigation 
measures;  the  project  management  team  must  balance  how  much  money  to  spend  and 
how  much  risk  to  accept. 
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